UPDATED 2:50 pm EDT Friday with report that Apple has removed Adware Doctor from the Mac App Store.
Mac users, be careful what you install. A popular Mac ad blocker is reportedly stealing users' browsing history, and Apple has so far failed to do anything about it.
Screengrab credit: Patrick Wardle
Adware Doctor, currently the fourth-ranked top paid application in the Mac App Store, seems to be sending users' sensitive information to servers in China. The apparent violation of Apple's privacy rules was explained in a blog post published early Friday by Patrick Wardle, a highly-regarded security researcher who blogs and distributes free Mac security software at his website Objective-See.
"There is rather a MASSIVE privacy issue here. Let's face it, your browsing history provides a glimpse into almost every aspect of your life," Wardle wrote. "The fact that [this] application has been surreptitiously exfiltrating users' browsing history, possibly for years, is, to put it mildly, rather f#@&'d up!"
To avoid being owned by Adware Doctor, don't install the program. If you already have, remove it from your system.
Tom's Guide has reached out to Apple for comment, and we will update this article if we hear back.
The flaw was first found by another researcher, "Privacy1st," who posted a video on YouTube under the name "John Maxx" on Aug. 5 and tweeted it out. A second video, posted Aug. 10 by Privacy1st/John Maxx, clearly shows the app nabbing browsing history and sending it to a remote server.
Privacy1st reached out to Thomas Reed, a Mac malware researcher at Malwarebytes, and asked for Reed's help in reporting the issue to Apple.
"That’s one of a number of things on the App Store I have reported to Apple, with no results," replied Reed.
Wardle, who told Threatpost he was also brought in to help, broke down the technical details of how the offending application collects browser data in his blog post. Adware Doctor bypasses Apple's application sandboxing security technique, which are designed to prevent programs from gaining access to system details and to each other's details.
In this case, Adware Doctor asks user permission to access certain files, and, if that permission is granted by the user, gains read and write access to that information. So when you download the $4.99 application and opens it for the first time, it will ask for access to your Home Directory and all the files stored within it.
Privacy1st discovered that Adware Blocker was sending users' browsing history and their software list to a server in China.
"This is getting every single process and application you have installed," he or she wrote in on-screen text in the second JohnMaxx YouTube video.
The developer of the app is listed as Yongming Zhang. Adware Doctor did not respond to our request for comment.
As Wardle states, any app collecting users' browsing history is a "massive" privacy issue.
"Adware Doctor contains several methods for collecting a variety of information about the system and user," Wardle wrote. "While some (such as a process list), perhaps have a legitimate reason for being collected by an anti-malware or anti-adware product, others such as the user's browsing history seem to be a blatant violation of the user's privacy (and of course Apple strict Mac App Store rules)."
This isn't the first time Adware Doctor has come under the spotlight for potentially breaching users' privacy. In 2016, the app was accused of violating Apple's App Store guidelines by attempting to "perform elevated applications."
It's typically a good idea to look at reviews before downloading anything from the Mac App Store, but that wouldn't have protected you in this case. Adware Doctor currently holds a 4.8 star rating after more than 7,000 reviews, although Wardle claims many of those reviews are fake.
This latest breach of privacy raises serious questions about Apple's application-vetting process. The tech giant, which is often praised for its strict security measures, especially on iOS, certified the Adware Doctor program that is now leaching Mac users' sensitive data.
Even worse, Apple was apparently told about Adware Doctor "a month ago" -- Wardle posted a copy of Apple's initial response, dated Aug. 7 -- but the company has yet to remove the program from the store.
UPDATE: Apple told Buzzfeed News that it has removed Adware Doctor from the Mac App Store. Tom's Guide has not been able to confirm that, because at least one app called Adware Doctor that sells for $4.99 still exists in the Mac App Store. However, that app has a different logo and lists a different developer from the one discussed above.